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18 July 1980 


MEMORANDUM FOR: Chief, ISSG/OS 

25X1 A FROM: | 

Deputy Chief, Information Management Staff 

SUBJECT: Draft Security Requirements for Automated 

Information Systems Located in Overseas 
Installations 


1. We have reviewed your draft on security requirements for 
overseas ADP applications. As CRAFT and other automated 
applications move toward implementation in the field, we are 
particularly anxious to regularize the planning and implementation 
of necessary security for these functions. Therefore, we present 
some comments and observations in the following paragraphs. 

2. In our view, it is essential to place the overall 
responsibility and approval authority for these applications on 
the Deputy Director for Operations . We see ISSG performing a 
critical function in terms of expert guidance and recommendations. 

But it is to be noted that likely NOC needs, certain operational 
applications and cover requirements will sometimes dictate 
applications outside of standardized security criteria. DCID 
1/16, for instance, was obviously written with CONUS systems, not 
field, ADP applications in mind. Also, must the Department of 
State, which is also automating overseas posts, honor DCID 1/16 
requirements for themselves , and how do we mesh with State on ADP 
security requirements? 

3. We can foresee that the Office of Communications will 
have a particularly significant role in the security of our 
overseas information systems. Notwithstanding your draft 
recommendation for a qualified ADP systems security officer in the 
field, the DO does not have positions to dedicate to this 
responsibility and, generally speaking, does not envision 
enlarging our overseas personnel strength as we move toward 
automation. It is, accordingly, very likely that the Office of 
Communications personnel in the field will perform many of the ADP 
systems security requirements you foresee. It is to be noted that 
the Office of Communications has already accepted responsibility 
for the maintenance of all (Agency Standard) CRAFT equipment to be 
located in DO field posts. Further, it is expected that some 

of the CRAFT equipment involved overseas may be housed in the 
station/base communications facility and thereby be principally 
affected by OC security requirements. 25X1 
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4. We believe the draft should also make mention of the role 
of IMS in the security of overseas information systems. The 
Directorate for Operations has centralized information management, 
with IMS specifically charged to plan, evaluate, test, pay first 
year costs for and install automated information systems in the 
field. In this respect, we speak for the user area divisions in 
such areas as audit trails, systems software and access controls. 


5. It would now seem appropriate for representatives from 
ISSG, ODP, the Office of Communications and IMS to review in 
common a number of technical considerations you raise in the 
draft. Some of our technical questions are attached. If you 
agree, we will schedule such a meeting. 


6. In the meantime, wh ere overseas CRAFT issues are 
involved, please contact Mr 


issues and planning involving automation in the fiel 
contact Ms . 


j For general 
a, p 


please 


Attachment: 
As stated 



cc: Director of Communications 

^Director of Data Processing 
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Information Management Staff Technical Questions 
Re Draft Security Requirements for Automated 
Information Systems Located in Overseas Installations 


1. Reference Paragraph III. A. 2. Clarification is required 
on the unique qualifications necessary for the position of field 
ADP System Security Officer. Under the CRAFT concept, there will 
be no ADP professionals at DO field stations and, therefore, the 
resident ADP knowledge will be superficial at best. 

2. Reference Paragraph IV. If intelligent programmable 
terminals, such as the Delta Data 7000, qualify as ADP systems 
vice user terminals, then this paragraph is considered overly 
restricted in terms of the definition and requirements for an "ADP 
Facility". 


25X1 


3. Reference Paragraph IV. A. 5b. and C.4d. For other 
security or operational reasons, it may be appropriate to have 
some CRAFT equipment in the communications vault area (not the OC 

It is suggested that this provision be 
recons idered xn view of physical space considerations at the field 
station and the expense of constructing and maintaining two 
separate secure areas. It is recognized that user terminals 
located within the communications vault could cause access control 
problems, but needed access to the minicomputers would be minimal. 
Further, the use of the communications personnel on site to 
perform those functions necessary to place the minicomputer in 
operation may well be the most desirable and efficient utilization 
of station personnel. In this latter case, it would then be 
advantageous to have the minicomputer co-located with the 
communications center. 


WARNING NOTICE 
INTELLIGENCE SOURCES 
AND METHODS INVOLVED 


Tor Release 


8* 


19 



25X1 





Approved ^Release 2002/1 1/1¥:CrA-RDP83T00553R0003001 3001 5-2 


5 Reference Paragraph IV. D. 4b (2). Ref erence _ should be 
provided to the "current security approved destruction procedure 

for magnetic media. 

6 Reference Paragraph IV.D.5a(l). Identification of 
terminals by location will require either modificat ion to stan dar 

J mpMD T?Q r r Annrnvp.d 1^0 


terminals u y iuuaLj.ua ^ - 

terminals ot the development of a TEMPEST approved , 

provide this capability. Guidance xn this area will be required 


F> 25X1 
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